Prince of Persia: The Sands of Foudre

Jay Rosenberg

17.08.18 | 12:31 pm

Introduction

Over the past couple of years, Palo Alto Networks has reported on the “Prince of Persia” malware campaign, which is believed to be of Iranian origin and to have been ongoing for more than 10 years. The original research, published in 2016, called the malware Infy, and their second report, published in 2017, named the upgraded malware Foudre. The name “Foudre” comes from a string in the binary used to check whether the computer is already infected. At the time of their blog post, Palo Alto Networks stated that the versions of Foudre they had observed were versions 1 and 2. We have found new evidence that the Prince of Persia campaign is still active: a new version of the Foudre malware, version 8.

In this blog post, we are only going to focus on the new, unique, interesting features of this version of Foudre and its related campaign.

(Internal version name of Foudre v8)

No to The Forced Hijab

As with the samples noted in previous reports, this new malware also comes packaged in a WinRAR SFX archive containing multiple malicious binaries and a media file. The media file in this case is an MP4 video showing a woman in Iran walking around and, at the end, pulling off her hijab. The video contains text written in Farsi with a hashtag, بنه به حجاب اجباری#, literally translating to “no to the forced hijab.” This hashtag refers to protesters in Iran who oppose the mandatory wearing of the hijab by women; the video is meant to distract the victim while the Foudre malware is installed in the background.

(Screenshot from the video bundled in the malware)

Foudre is a remote access tool with the ability to remotely execute commands, steal information about the infected target (such as keystrokes, process information, etc.), and auto-update itself. Most of the code and functionality from the previous versions of Foudre and Infy is reused and can be read about in the reports linked above, so we are only going to focus on the new, unique, interesting features and the linkage of code reuse from previous versions.

Code Reuse

After uploading the WinRAR SFX to Intezer Analyze™, the files inside were statically extracted, revealing 3 binaries, a lockbox3 signature, and the video mentioned above.

New Features/Changes

In the latest version of Foudre there are 2 modules. One of the modules (i7234.dll) has the export “D1” and the other module (d388) exports “D2” as a function. We are going to refer to the different binaries by their exports, D1 and D2. The third binary never gets launched and is still under investigation; we will release more details about it at a later date. The WinRAR SFX and the D1 module are only executed once. The following features/changes are spread across the WinRAR SFX, D1, and D2:

WinRAR SFX Dropper

The WinRAR SFX has an icon of the girl with the hijab from the video

Extracts the files

Launches D1 (i7234.dll) with rundll32 and executes the export D1

D1

D1 executes the MP4 file

Checks for a window named “TNRRDPKE2”; if it is found, the malware is already running

Copies D2 and the key to %APPDATA% with the filenames a.n and p.k, and creates a shortcut in that folder named “an.lnk” that runs C:\WINDOWS\system32\rundll32.exe a.n D2 838238125

Deletes these files from the TEMP folder

Stores the name of D2 (a.n) in HKEY_CURRENT_USER\Software\temp in a key called “ran2”
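The host artefacts listed above for the WinRAR SFX and D1 stages (the rundll32 launch of i7234.dll with export D1, the a.n/p.k/an.lnk files dropped into %APPDATA%, the ran2 registry marker, the TNRRDPKE2 window and the rundll32 a.n D2 shortcut) are the kind of thing a responder hunts for in endpoint telemetry. The following is an added example of such a hunt written for this post; it is not Intezer's code or tooling. The indicator names come from the write-up, while the event format, the user profile path and the sample events are constructed for the example and are not real telemetry.

```python
"""Hunt for the Foudre v8 SFX/D1-stage artefacts in Sysmon-style events.

Indicators (file names, registry value, window name, rundll32 module/export
pairs) come from the write-up above; event shape and sample data are
constructed for this example.
"""
import re
from typing import Dict, List, Optional

DROPPED_FILES = {"a.n", "p.k", "an.lnk"}   # copied into %APPDATA% by D1
REGISTRY_KEY = r"HKCU\Software\temp"
REGISTRY_VALUE = "ran2"                     # holds the D2 file name (a.n)
WINDOW_NAME = "TNRRDPKE2"                   # D1's "already running" marker
D1_MODULE = "i7234.dll"                     # launched by the SFX via rundll32

# rundll32 <module> <export> [args]. The an.lnk on the page uses a space
# separator; rundll32 also accepts "module,export", so both forms are matched.
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\"?\s+(?P<module>[^\s,]+)[,\s]+(?P<export>\w+)",
    re.IGNORECASE,
)


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding string if the event matches a Foudre v8 artefact, else None."""
    kind = ev["kind"]
    if kind == "process_create":
        m = RUNDLL32_RE.search(ev.get("command_line", ""))
        if not m:
            return None
        module = m.group("module").rsplit("\\", 1)[-1].lower()
        export = m.group("export").upper()
        if module == D1_MODULE and export == "D1":
            return f"rundll32 loading {module} export D1 (Foudre v8 D1 stage)"
        if module == "a.n" and export == "D2":
            return "rundll32 loading a.n export D2 (Foudre v8 D2 module)"
        return None
    if kind == "file_create":
        path = ev.get("path", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES and "\\appdata\\roaming\\" in path.lower():
            return f"Foudre v8 dropped file written to %APPDATA%: {name}"
        return None
    if kind == "registry_set":
        if (ev.get("key", "").lower() == REGISTRY_KEY.lower()
                and ev.get("value", "").lower() == REGISTRY_VALUE):
            return f"Foudre v8 registry marker {REGISTRY_KEY}\\{REGISTRY_VALUE} = {ev.get('data')}"
        return None
    if kind == "window_create":
        if ev.get("title") == WINDOW_NAME:
            return f"Foudre v8 running-instance window {WINDOW_NAME}"
        return None
    return None


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run every event through check_event and keep the findings."""
    return [f for f in map(check_event, events) if f]


# Constructed sample telemetry: one SFX -> D1 -> D2 installation plus benign noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "process_create",
     "command_line": r'"C:\WINDOWS\system32\rundll32.exe" C:\Users\u\AppData\Local\Temp\i7234.dll D1'},
    {"kind": "file_create", "path": r"C:\Users\u\AppData\Roaming\a.n"},
    {"kind": "file_create", "path": r"C:\Users\u\AppData\Roaming\p.k"},
    {"kind": "file_create", "path": r"C:\Users\u\AppData\Roaming\an.lnk"},
    {"kind": "registry_set", "key": r"HKCU\Software\temp", "value": "ran2", "data": "a.n"},
    {"kind": "process_create",
     "command_line": r"C:\WINDOWS\system32\rundll32.exe a.n D2 838238125"},
    {"kind": "window_create", "title": "TNRRDPKE2"},
    # Legitimate rundll32 use and an unrelated file: neither should fire.
    {"kind": "process_create",
     "command_line": r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"kind": "file_create", "path": r"C:\Users\u\AppData\Roaming\notes.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The file and registry checks are anchored on the locations given in the post (the %APPDATA% folder and HKCU\Software\temp) rather than on the bare names, since a.n or p.k elsewhere would be weak signals on their own; the rundll32 check keys on the module/export pair so that ordinary rundll32 usage such as Control_RunDLL does not trigger it.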

A few of the calculated domains were added to the bottom of the report in the IoCs section. The domains up to the week of September 9, 2018 (week 35) have been registered in Panama and resolve to the same IP address, 185[.]61[.]154[.]26. The oldest registered domain using this algorithm that we could find was registered for the week of November 5, 2017.

Conclusion

Due to the content of the video and the information from the reports on previous versions of Foudre, we believe the targets are mostly Iranian citizens. We have registered some of the future generated domains to prevent the attack, and will update the post with information regarding the infected victims.